
Google blocks a tool called Google App Engine in Iran, indirectly allowing the Iranian government to block apps that piggyback on it to skirt online censorship.
By Lorenzo Franceschi-Bicchierai and Jason Koebler
Motherboard, Jan. 15, 2018 – Some Iranians have been taking to the streets in the last few weeks, protesting the government and asking for more freedoms. The protests have been met with violent resistance from the government’s forces on the ground, and with tightening censorship online.
After years of growing restrictions online, Iranians know a thing or two about getting around their government’s censorship system, colloquially known as the “Filternet,” and they often turn to circumvention services like Virtual Private Networks, or Tor. Censorship circumvention isn’t done just with ad hoc apps though. And sophisticated government censors have become quite good at blocking specific apps. So, sometimes, an app that would be blocked by censors can mask itself within the traffic of a popular—and approved—service.
That’s a technique known as “domain fronting,” which relies on piggybacking off of popular services like GitHub or Amazon’s AWS to make it harder for countries like Iran or China to block specific apps. The technique essentially makes the traffic of a certain app look like traffic from a major website or service that is less likely to be blocked because it’s too popular—blocking cloud services like Amazon Web Services (AWS) or Microsoft’s Azure, which are used for a multitude of different services, would be perceived worse than blocking a small service that’s used primarily to circumvent surveillance. The concept behind domain fronting has been called “collateral freedom.”
Besides AWS and GitHub, Iranian users could piggyback off of Google as well, but the Google App Engine (GAE), the service that would be used for domain fronting in this case, blocks traffic that comes from Iran. In this case, Google, not Iran, is doing the blocking. The effect is that Iranians are unable to use some services that would be particularly useful during protests.
The encrypted messaging app Signal uses Google App Engine to skirt censorship in countries like Egypt, the UAE, and Oman. In Iran, however, the trick doesn’t work because Google blocks GAE in the country.
“Google does not allow access to GAE from Iran in order to comply with sanctions,” Signal’s creator Moxie Marlinspike said in a comment on GitHub.
The thing is that it’s not really clear that the current US sanctions regime toward Iran really prevents Google from providing access to GAE, and Google has not provided more information about why, specifically, it blocks inbound Iranian connections to GAE. According to Iranian internet freedom activists and experts in Iran-American digital communication policy, Google is going above and beyond what it is required to do to comply with US sanctions; the result is that the company cannot be used as a domain front to avoid censorship.
“Google is the only entity—the only big entity that’s doing above and beyond what they should be doing,” Nima Fatemi, an Iranian independent security researcher who’s been asking Google to lift the restriction in the last few days, told Motherboard.
Collin Anderson, a researcher who has studied Iran and the US sanctions regime for years, told Motherboard that “civil society has been pushing [Google] on this since 2013. It’s clearly not a priority to them.”